feat: move in fluentd-drain-watch

Signed-off-by: Bence Csati <[email protected]>

Author: csatib02

.github/workflows/dependency-images.yaml

@@ -50,4 +50,15 @@ jobs:
       contents: read
       packages: write
       id-token: write
-      security-events: write
+      security-events: write
+
+  fluentd-drain-watch:
+    name: Fluentd drain watch
+    uses: ./.github/workflows/fluentd-drain-watch.yaml
+    with:
+      publish: ${{ inputs.publish }}
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      security-events: write

.github/workflows/fluentd-drain-watch.yaml

@@ -0,0 +1,136 @@
+name: Fluentd drain watch
+
+on:
+  workflow_call:
+    inputs:
+      publish:
+        description: Publish artifacts to the artifact store
+        default: false
+        required: false
+        type: boolean
+
+permissions:
+  contents: read
+
+
+jobs:
+  fluentd-drain-watch-image:
+    name: Fluentd drain watch image
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Set up Cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+        if: ${{ inputs.publish }}
+
+      - name: Set image name
+        id: image-name
+        run: echo "value=ghcr.io/${{ github.repository }}/fluentd-drain-watch" >> "$GITHUB_OUTPUT"
+
+      - name: Gather build metadata
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        with:
+          images: ${{ steps.image-name.outputs.value }}
+          flavor: |
+            latest = false
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{raw}}
+            type=raw,value=latest,enable={{is_default_branch}}
+          labels: |
+            org.opencontainers.image.description=Fluentd drain watch image for the Logging operator.
+            org.opencontainers.image.title=Logging operator Fluentd drain watch image
+            org.opencontainers.image.authors=Kube logging authors
+            org.opencontainers.image.documentation=https://kube-logging.dev/docs/
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+        if: ${{ inputs.publish }}
+
+      - name: Build and push fluentd-drain-watch image
+        id: build
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        with:
+          context: images/fluentd-drain-watch
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          outputs: |
+            type=image,push=${{ inputs.publish }},name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
+            type=oci,dest=image.tar,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
+
+      - name: Sign image with GitHub OIDC Token
+        if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS[@]}; do
+            images+="${tag}@${DIGEST} "
+          done
+          
+          cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" ${images}
+
+      - name: Verify signed image with cosign
+        if: ${{ inputs.publish && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          for tag in ${TAGS[@]}; do
+            cosign verify "${tag}@${DIGEST}" \
+              --rekor-url "https://rekor.sigstore.dev/" \
+              --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/fluentd-drain-watch.yaml@${{ github.ref }}" \
+              --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
+          done
+
+      - name: Extract OCI tarball
+        run: |
+          mkdir -p image
+          tar -xf image.tar -C image
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+        with:
+          input: image
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy scan results as artifact
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        with:
+          name: "[${{ github.job }}] Trivy scan results"
+          path: trivy-results.sarif
+          retention-days: 5
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
+        with:
+          sarif_file: trivy-results.sarif

Makefile

@@ -44,15 +44,13 @@ GOVERSION := $(shell go env GOVERSION)
 FLUENTD_IMG ?= fluentd-full:local
 CONFIG_RELOADER_IMG ?= config-reloader:local
 SYSLOG_NG_RELOADER_IMG ?= syslog-ng-reloader:local
+FLUENTD_DRAIN_WATCH_IMG ?= fluentd-drain-watch:local
 OPERATOR_IMG ?= controller:local
 OPERATOR_IMG_DEBUG ?= controller:debug
 
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS ?= crd:maxDescLen=0
 
-DRAIN_WATCH_IMAGE_TAG_NAME ?= ghcr.io/kube-logging/fluentd-drain-watch
-DRAIN_WATCH_IMAGE_TAG_VERSION ?= latest
-
 VERSION := $(shell git describe --abbrev=0 --tags)
 
 E2E_TEST_TIMEOUT ?= 20m
@@ -117,11 +115,12 @@ docker-build-e2e-test: ## Build the coverage docker image
 	sed -i'' -e 's@image: .*@image: '"${OPERATOR_IMG}"'@' ./config/default/manager_image_patch.yaml
 	${DOCKER} build -t ${CONFIG_RELOADER_IMG} images/config-reloader
 	${DOCKER} build -t ${SYSLOG_NG_RELOADER_IMG} images/syslog-ng-reloader
+	${DOCKER} build -t ${FLUENTD_DRAIN_WATCH_IMG} images/fluentd-drain-watch
 	${DOCKER} build -t ${FLUENTD_IMG} --target full images/fluentd
 
 .PHONY: docker-build-drain-watch
 docker-build-drain-watch: ## Build the drain-watch docker image
-	${DOCKER} build drain-watch-image -t ${DRAIN_WATCH_IMAGE_TAG_NAME}:${DRAIN_WATCH_IMAGE_TAG_VERSION}
+	${DOCKER} build drain-watch-image -t ${FLUENTD_DRAIN_WATCH_IMG} images/fluentd-drain-watch
 
 .PHONY: docker-push
 docker-push: ## Push the docker image

images/fluentd-drain-watch/Dockerfile

@@ -0,0 +1,7 @@
+FROM alpine:3.21.3@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c
+
+RUN apk add curl
+
+COPY drain-watch.sh /bin/drain-watch.sh
+
+ENTRYPOINT ["/bin/drain-watch.sh"]

images/fluentd-drain-watch/README.md

@@ -0,0 +1,21 @@
+# Fluentd Drain Watch
+
+Fluentd Drain Watch is a monitoring script that ensures proper shutdown of Fluentd by waiting for its RPC endpoint to become available, monitoring buffer files, and terminating custom workers when no buffers remain.
+
+## Features
+
+- Waits for Fluentd's RPC endpoint to be available before proceeding.
+- Monitors a custom-runner HTTP endpoint.
+- Ensures all buffer files are processed before exiting.
+- Triggers termination of custom workers upon completion.
+
+## Usage
+
+Set required environment variables before running:
+
+```sh
+export BUFFER_PATH=/path/to/buffers
+export CHECK_INTERVAL=60  # Optional, default is 60 seconds
+export RPC_ADDRESS=127.0.0.1:24444  # Optional, default is 127.0.0.1:24444
+export CUSTOM_RUNNER_ADDRESS=127.0.0.1:7357  # Optional, default is 127.0.0.1:7357
+```

images/fluentd-drain-watch/drain-watch.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+CHECK_INTERVAL="${CHECK_INTERVAL:-60}"
+RPC_ADDRESS="${RPC_ADDRESS:-127.0.0.1:24444}"
+CUSTOM_RUNNER_ADDRESS="${CUSTOM_RUNNER_ADDRESS:-127.0.0.1:7357}"
+
+[ -z "$BUFFER_PATH" ] && exit 2
+
+# this loop will not go on indefinitely because the fluentd RPC endpoint should
+# come up eventually and won't terminate without a signal from outside (barring errors)
+echo '['$(date)']' 'waiting for fluentd RPC endpoint to become available'
+until netstat -tln | grep "$RPC_ADDRESS" >/dev/null
+do
+  [ -z "$DEBUG" ] && echo '['$(date)']' 'fluentd RPC endpoint not available, waiting'
+  sleep 1
+done
+
+# this loop will not go on indefinitely because the custom-runner's HTTP endpoint should
+# come up eventually and won't terminate without a signal from outside (barring errors)
+echo '['$(date)']' 'waiting for custom-runner HTTP endpoint to become available'
+until curl -so /dev/null ${CUSTOM_RUNNER_ADDRESS}
+do 
+  [ -z "$DEBUG" ] && echo '['$(date)']' 'custom-runner HTTP endpoint not available, waiting'
+  sleep 1
+done
+
+echo '['$(date)']' 'waiting for fluentd to exit' # i.e. stop listening on the RPC address
+while netstat -tln | grep "$RPC_ADDRESS" >/dev/null
+do
+  [ -z "$DEBUG" ] && echo '['$(date)']' 'RPC endpoint still listening'
+
+  if [ "$(find $BUFFER_PATH -iname '*.buffer' -or -iname '*.buffer.meta' | wc -l)" = 0 ]
+  then
+    echo '['$(date)']' 'exiting node exporter custom runner:' "$(curl --silent --show-error http://$CUSTOM_RUNNER_ADDRESS/exit)"
+    echo '['$(date)']' 'no buffers left, terminating workers:' "$(curl --silent --show-error http://$RPC_ADDRESS/api/processes.killWorkers)"
+    exit 0
+  fi
+
+  sleep "$CHECK_INTERVAL"
+done
+
+echo '['$(date)']' 'checking for remaining buffers'
+[ "$(find $BUFFER_PATH -iname '*.buffer' -or -iname '*.buffer.meta' | wc -l)" -gt 0 ] && exit 1
+
+exit 0

pkg/sdk/logging/api/v1beta1/fluentd_types.go

@@ -239,12 +239,10 @@ func (f *FluentdSpec) SetDefaults() error {
 			f.ConfigReloaderImage.Repository = DefaultFluentdConfigReloaderImageRepository
 		}
 		if f.ConfigReloaderImage.Tag == "" {
-			if f.ConfigReloaderImage.Tag == "" {
-				if Version == "" {
-					f.ConfigReloaderImage.Tag = DefaultFluentdConfigReloaderImageTag
-				} else {
-					f.ConfigReloaderImage.Tag = Version
-				}
+			if Version == "" {
+				f.ConfigReloaderImage.Tag = DefaultFluentdConfigReloaderImageTag
+			} else {
+				f.ConfigReloaderImage.Tag = Version
 			}
 		}
 		if f.ConfigReloaderImage.PullPolicy == "" {
@@ -312,7 +310,11 @@ func (f *FluentdSpec) SetDefaults() error {
 			f.Scaling.Drain.Image.Repository = DefaultFluentdDrainWatchImageRepository
 		}
 		if f.Scaling.Drain.Image.Tag == "" {
-			f.Scaling.Drain.Image.Tag = DefaultFluentdDrainWatchImageTag
+			if Version == "" {
+				f.Scaling.Drain.Image.Tag = DefaultFluentdDrainWatchImageTag
+			} else {
+				f.Scaling.Drain.Image.Tag = Version
+			}
 		}
 		if f.Scaling.Drain.Image.PullPolicy == "" {
 			f.Scaling.Drain.Image.PullPolicy = "IfNotPresent"

pkg/sdk/logging/api/v1beta1/logging_types.go

@@ -209,8 +209,8 @@ const (
 	DefaultFluentdImageRepository                 = "ghcr.io/kube-logging/logging-operator/fluentd"
 	DefaultFluentdImageTag                        = "latest-full"
 	DefaultFluentdBufferStorageVolumeName         = "fluentd-buffer"
-	DefaultFluentdDrainWatchImageRepository       = "ghcr.io/kube-logging/fluentd-drain-watch"
-	DefaultFluentdDrainWatchImageTag              = "v0.2.4"
+	DefaultFluentdDrainWatchImageRepository       = "ghcr.io/kube-logging/logging-operator/fluentd-drain-watch"
+	DefaultFluentdDrainWatchImageTag              = "latest"
 	DefaultFluentdDrainPauseImageRepository       = "registry.k8s.io/pause"
 	DefaultFluentdDrainPauseImageTag              = "3.9"
 	DefaultFluentdVolumeModeImageRepository       = "docker.io/library/busybox"